About OpenStack:
OpenStack is a free and open-source software project, released under the Apache License, that was started as a joint effort by NASA (the US National Aeronautics and Space Administration) and Rackspace.
OpenStack is an open-source cloud management platform made up of several major components that together do the actual work. It supports almost every kind of cloud environment, and its stated goal is a cloud management platform that is simple to deploy, scales to very large sizes, is feature-rich and is built on uniform standards. OpenStack delivers Infrastructure as a Service (IaaS) through a set of complementary services, each of which exposes an API for integration.
OpenStack is an open-source project whose aim is to provide the software for building and running public and private clouds. Its community counts more than 130 companies and 1,350 developers, who use OpenStack as a common front end for Infrastructure as a Service (IaaS) resources. The project's first priority is to simplify cloud deployment and give it good scalability. This article tries to give the guidance needed to set up and manage your own public or private cloud with that front end.
The OpenStack platform lets service providers and enterprises build Infrastructure as a Service (IaaS) comparable to Amazon EC2 and S3. The initial release had two main modules: Nova, the virtual server provisioning and compute module that came out of NASA, and Swift, the distributed object storage module developed by Rackspace; the two can be used together or independently. Besides strong backing from Rackspace and NASA, OpenStack has contributions and support from heavyweights such as Dell, Citrix, Cisco and Canonical; it has grown very fast and looks set to displace Eucalyptus, another leading open-source cloud platform.
OpenStack website:
http://www.openstack.org/
Lab architecture:
Environment:
Operating system:
CentOS-7-x86_64-Minimal-1611
OpenStack version: Liberty
linux-node1.smoke.com: 192.168.56.11 controller node
linux-node2.smoke.com: 192.168.56.12 compute node
node1:
Set the hostname. Note: OpenStack services register themselves under the hostname, so do not change it again after the installation.
[root@localhost ~]# hostname linux-node1.smoke.com
[root@localhost ~]# vim /etc/hostname
linux-node1.smoke.com
(/etc/hostname contains only the name itself, not a "hostname" command; on CentOS 7, hostnamectl set-hostname linux-node1.smoke.com performs both steps at once.)
NIC configuration (ens33 carries the 192.168.56.0/24 management network used throughout this guide; ens37 is a second adapter on 192.168.47.0/24):
[root@linux-node1 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.56.11  netmask 255.255.255.0  broadcast 192.168.56.255
        inet6 fe80::20c:29ff:fe81:308f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:81:30:8f  txqueuelen 1000  (Ethernet)
        RX packets 1198  bytes 105479 (103.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1079  bytes 228271 (222.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.47.136  netmask 255.255.255.0  broadcast 192.168.47.255
        inet6 fe80::20c:29ff:fe81:3099  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:81:30:99  txqueuelen 1000  (Ethernet)
        RX packets 20266  bytes 29152833 (27.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4139  bytes 258109 (252.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Add the hosts entries:
[root@linux-node1 ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.11 linux-node1 linux-node1.smoke.com
192.168.56.12 linux-node2 linux-node2.smoke.com
Time synchronization: Keystone tokens carry expiry timestamps and the services compare times with each other, so unsynchronized clocks cause hard-to-diagnose OpenStack failures. Set up chrony on every node.
[root@linux-node1 ~]# yum -y install chrony
[root@linux-node1 ~]# cat << EOF > /etc/chrony.conf
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
# Only the lab management subnet needs to use this host as a time source
# (the original allowed the whole 192.168.0.0/16).
allow 192.168.56.0/24
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony.keys
commandkey 1
generatecommandkey
noclientlog
logchange 0.5
logdir /var/log/chrony
EOF
[root@linux-node1 ~]# systemctl enable chronyd.service
[root@linux-node1 ~]# systemctl start chronyd.service
[root@linux-node1 ~]# chronyc sources
210 Number of sources = 4
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ntp1.flashdance.cx 2 6 313 96 +17ms[ +37ms] +/- 194ms
^? ntp5.flashdance.cx 2 6 1 38 +30ms[ +49ms] +/- 202ms
^- correo.poashosting.com 2 6 75 38 -45ms[ -25ms] +/- 249ms
^* cn.ntp.faelix.net 2 6 77 36 +25ms[ +45ms] +/- 163ms
Set the time zone:
[root@linux-node1 ~]# timedatectl set-timezone Asia/Shanghai
[root@linux-node1 ~]# date
Sun Sep 30 22:33:31 CST 2018
Install MySQL (MariaDB):
I use the vault.centos.org yum repository here;
[root@linux-node1 ~]# vim /etc/yum.repos.d/openstack_liberty.repo
[openstack-liberty]
name=openstack-liberty
baseurl=http://vault.centos.org/centos/7.3.1611/cloud/x86_64/openstack-liberty/
gpgcheck=0
gpgkey=http://vault.centos.org/RPM-GPG-KEY-CentOS-7
repo_gpgcheck=0
enabled=1
Note that gpgcheck=0 switches off package signature verification, so whatever that mirror serves (or whatever is injected on the plain-http path to it) gets installed as root unchecked. Cloud SIG packages are signed with the CentOS SIG Cloud key (RPM-GPG-KEY-CentOS-SIG-Cloud, published on https://www.centos.org/keys/), not with the base CentOS-7 key named above; to verify them, point gpgkey at that key and set gpgcheck=1.
[root@linux-node1 ~]# yum clean all
[root@linux-node1 ~]# yum makecache
[root@linux-node1 ~]# yum -y install mariadb mariadb-server MySQL-python
[root@linux-node1 ~]# cp /usr/share/mariadb/my-medium.cnf /etc/my.cnf
cp: overwrite '/etc/my.cnf'? y
[root@linux-node1 ~]# vim /etc/my.cnf
[mysqld]
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
The Liberty install guide additionally sets bind-address to the management address (here 192.168.56.11) in this section so that MariaDB does not listen on every interface; this lab keeps the default, which is why 3306 shows up as :::3306 in the netstat output later on.
[root@linux-node1 ~]# systemctl enable mariadb.service
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@linux-node1 ~]# systemctl start mariadb.service
[root@linux-node1 ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
[root@linux-node1 ~]# mysql -uroot -psmoke520
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 11
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
+--------------------+
3 rows in set (0.01 sec)
MariaDB [(none)]> use mysql;
Database changed
MariaDB [mysql]> show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| column_stats |
| columns_priv |
| db |
| event |
| func |
| general_log |
| gtid_slave_pos |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| index_stats |
| innodb_index_stats |
| innodb_table_stats |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| roles_mapping |
| servers |
| slow_log |
| table_stats |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------+
30 rows in set (0.01 sec)
MariaDB [mysql]> exit;
Bye
Create the service databases. Note that this lab uses each service name as that service's database password and grants access from any host ('%'); for anything beyond a lab, give every service a random password and restrict the grant to the hosts that actually connect (here localhost and the controller address 192.168.56.11, which is what the connection strings below use).
Keystone database:
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "CREATE DATABASE keystone;"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';"
Glance database:
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "CREATE DATABASE glance;"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';"
Nova database:
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "CREATE DATABASE nova;"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';"
Neutron database:
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "CREATE DATABASE neutron;"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';"
Cinder database:
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "CREATE DATABASE cinder;"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';"
[root@linux-node1 ~]# mysql -uroot -psmoke520 -e "GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';"
[root@linux-node1 ~]# mysql -uroot -psmoke520
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 30
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| cinder |
| glance |
| information_schema |
| keystone |
| mysql |
| neutron |
| nova |
| performance_schema |
+--------------------+
8 rows in set (0.00 sec)
MariaDB [(none)]> exit;
Bye
SOA (service-oriented architecture):
Service-oriented architecture lets loosely coupled, coarse-grained application components be deployed, composed and consumed over a network as needed. The service layer is the foundation of SOA; applications call it directly, which keeps the human dependencies in the system's interaction with software agents under control.
SOA is a coarse-grained, loosely coupled service architecture in which services talk to each other through simple, precisely defined interfaces, independent of the underlying programming interfaces and communication models. SOA can be seen as the natural continuation of the B/S model and of XML (a subset of SGML) / Web Service technology.
SOA gives software engineers a new vantage point for understanding how the components of an enterprise architecture are developed and deployed, and helps enterprise architects build whole business systems faster, more reliably and with more reuse. Compared with what came before, systems built on SOA cope far more gracefully with rapid business change.
Architecture:
Loosely coupled systems
Basic characteristics:
Accessible from outside the enterprise
Available at all times
Coarse-grained, tiered service interfaces
Loose coupling
Reusable services
Managed service interface design
Standardized service interfaces
Support for a variety of messaging patterns
Precisely defined service contracts
SOA services communicate with messages, usually defined with XML Schema (also called XSD, XML Schema Definition). Communication between consumer and provider, or between consumer and service, mostly happens in an environment where the provider is not known in advance. Communication between services can also be viewed as the key business documents that the enterprise processes internally.
SOA services are maintained through a Registry that plays the role of a directory listing. Applications look a service up in the Registry and invoke it. Universal Description, Discovery and Integration (UDDI) is the standard for service registration.
Install the message queue:
OpenStack supports the RabbitMQ, Qpid and ZeroMQ message queues.
[root@linux-node1 ~]# yum -y install rabbitmq-server
If yum cannot install it, download the latest package from the project's release page, https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.7.8 (this is a root-level package from outside the distribution repositories, so check the release signature before installing it).
rabbitmq-server depends on Erlang:
[root@linux-node1 ~]# vim /etc/yum.repos.d/rabbitmq-erlang.repo
[rabbitmq-erlang]
name=rabbitmq-erlang
baseurl=https://dl.bintray.com/rabbitmq/rpm/erlang/20/el/7
gpgcheck=1
gpgkey=https://dl.bintray.com/rabbitmq/Keys/rabbitmq-release-signing-key.asc
repo_gpgcheck=0
enabled=1
[root@linux-node1 ~]# yum clean all
[root@linux-node1 ~]# yum makecache
[root@linux-node1 ~]# ll
total 9340
-rw-------. 1 root root    1245 Jul 18 19:48 anaconda-ks.cfg
-rw-r--r--  1 root root 9557762 Oct  1 01:08 rabbitmq-server-3.7.8-1.el7.noarch.rpm
[root@linux-node1 ~]# yum -y install rabbitmq-server-3.7.8-1.el7.noarch.rpm
[root@linux-node1 ~]# systemctl enable rabbitmq-server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service to /usr/lib/systemd/system/rabbitmq-server.service.
[root@linux-node1 ~]# systemctl start rabbitmq-server.service
RabbitMQ listens on port 5672 (AMQP). Ports 4369 (epmd) and 25672 (Erlang distribution, also used by the CLI tools) are bound to every interface too; they are protected only by the shared Erlang cookie in /var/lib/rabbitmq/.erlang.cookie, so firewall them off from everything except cluster peers (there are none in this lab).
[root@linux-node1 ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN 83984/beam.smp
tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN 84140/epmd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 899/sshd
tcp6 0 0 :::5672 :::* LISTEN 83984/beam.smp
tcp6 0 0 :::3306 :::* LISTEN 11484/mysqld
tcp6 0 0 :::4369 :::* LISTEN 84140/epmd
tcp6 0 0 :::22 :::* LISTEN 899/sshd
Add a user (the lab uses the user name as the password; pick a random one for anything real):
[root@linux-node1 ~]# rabbitmqctl add_user openstack openstack
Creating user "openstack" ...
Grant the user configure, write and read permissions on the default vhost /:
[root@linux-node1 ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/" ...
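The database and RabbitMQ steps above both hand out credentials where the password equals the user name and, for MariaDB, the grant is open to any host ('%'). The script below is an added example (not part of the original guide or of any OpenStack project) that generates a random alphanumeric secret per service and renders the equivalent provisioning commands with the grants limited to the hosts this lab actually connects from: localhost and the controller address 192.168.56.11 (the [database] connection strings use that IP, so MariaDB sees the services arriving from it, not from localhost). The output file path and the SERVICES tuple are choices of this example, not fixed names.

```python
"""Generate per-service secrets and the MariaDB / RabbitMQ provisioning commands."""
import re
import secrets
import string

SERVICES = ("keystone", "glance", "nova", "neutron", "cinder")
# Hosts the services connect from in this lab (controller IP from the connection strings).
DEFAULT_DB_HOSTS = ("localhost", "192.168.56.11")
# Letters and digits only: the value lands in SQL, on a shell command line and inside a
# mysql:// URL, so we avoid characters that would need quoting or URL-encoding.
ALPHABET = string.ascii_letters + string.digits
_NAME = re.compile(r"^[a-z][a-z0-9_]*$")


def new_secret(length: int = 32) -> str:
    """Cryptographically random alphanumeric password (about 190 bits at 32 chars)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_credentials(services=SERVICES, rabbit_user: str = "openstack") -> dict:
    """One fresh password per database service plus one for the RabbitMQ user."""
    creds = {svc: new_secret() for svc in services}
    creds[f"rabbit_{rabbit_user}"] = new_secret()
    return creds


def _check_name(name: str) -> str:
    # The name becomes an SQL identifier and an account name; refuse anything odd
    # instead of trying to quote it.
    if not _NAME.match(name):
        raise ValueError(f"unsafe service name: {name!r}")
    return name


def db_grant_sql(service: str, password: str, hosts=DEFAULT_DB_HOSTS) -> list:
    """CREATE DATABASE plus one GRANT per allowed client host (no '%' wildcard)."""
    svc = _check_name(service)
    stmts = [f"CREATE DATABASE IF NOT EXISTS `{svc}`;"]
    for host in hosts:
        stmts.append(
            f"GRANT ALL PRIVILEGES ON `{svc}`.* TO '{svc}'@'{host}' IDENTIFIED BY '{password}';"
        )
    return stmts


def rabbit_commands(user: str, password: str, vhost: str = "/") -> list:
    """rabbitmqctl equivalents of the add_user / set_permissions steps above."""
    _check_name(user)
    return [
        f"rabbitmqctl add_user {user} {password}",
        f"rabbitmqctl set_permissions -p {vhost} {user} '.*' '.*' '.*'",
    ]


def connection_string(service: str, password: str, host: str = "192.168.56.11") -> str:
    """The [database] connection value for that service's configuration file."""
    svc = _check_name(service)
    return f"mysql://{svc}:{password}@{host}/{svc}"


def render_sql_script(creds: dict, hosts=DEFAULT_DB_HOSTS) -> str:
    """Everything to pipe into `mysql -uroot -p` on the controller."""
    lines = []
    for svc in SERVICES:
        lines.extend(db_grant_sql(svc, creds[svc], hosts))
    lines.append("FLUSH PRIVILEGES;")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import os
    import sys

    creds = generate_credentials()
    # Secrets go to a root-only file; the SQL goes to stdout so it can be piped into mysql.
    path = os.path.expanduser("~/openstack-secrets.txt")  # example location
    with open(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as fh:
        for name, value in creds.items():
            fh.write(f"{name}={value}\n")
        fh.write(f"keystone_connection={connection_string('keystone', creds['keystone'])}\n")
        for cmd in rabbit_commands("openstack", creds["rabbit_openstack"]):
            fh.write(f"# {cmd}\n")
    sys.stdout.write(render_sql_script(creds))
```

Run it as `python3 provision_secrets.py | mysql -uroot -p` on the controller: `-p` without a value prompts for the root password instead of leaving it in the shell history and the process list as `-psmoke520` does above. The rabbitmqctl lines and the keystone.conf connection value are written into the 0600 secrets file, from where they can be pasted into the corresponding steps.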
Enable the RabbitMQ management (web) plugin:
[root@linux-node1 ~]# rabbitmq-plugins list
Configured: E = explicitly enabled; e = implicitly enabled
| Status: * = running on rabbit@linux-node1
|/
[ ] rabbitmq_amqp1_0 3.7.8
[ ] rabbitmq_auth_backend_cache 3.7.8
[ ] rabbitmq_auth_backend_http 3.7.8
[ ] rabbitmq_auth_backend_ldap 3.7.8
[ ] rabbitmq_auth_mechanism_ssl 3.7.8
[ ] rabbitmq_consistent_hash_exchange 3.7.8
[ ] rabbitmq_event_exchange 3.7.8
[ ] rabbitmq_federation 3.7.8
[ ] rabbitmq_federation_management 3.7.8
[ ] rabbitmq_jms_topic_exchange 3.7.8
[ ] rabbitmq_management 3.7.8
[ ] rabbitmq_management_agent 3.7.8
[ ] rabbitmq_mqtt 3.7.8
[ ] rabbitmq_peer_discovery_aws 3.7.8
[ ] rabbitmq_peer_discovery_common 3.7.8
[ ] rabbitmq_peer_discovery_consul 3.7.8
[ ] rabbitmq_peer_discovery_etcd 3.7.8
[ ] rabbitmq_peer_discovery_k8s 3.7.8
[ ] rabbitmq_random_exchange 3.7.8
[ ] rabbitmq_recent_history_exchange 3.7.8
[ ] rabbitmq_sharding 3.7.8
[ ] rabbitmq_shovel 3.7.8
[ ] rabbitmq_shovel_management 3.7.8
[ ] rabbitmq_stomp 3.7.8
[ ] rabbitmq_top 3.7.8
[ ] rabbitmq_tracing 3.7.8
[ ] rabbitmq_trust_store 3.7.8
[ ] rabbitmq_web_dispatch 3.7.8
[ ] rabbitmq_web_mqtt 3.7.8
[ ] rabbitmq_web_mqtt_examples 3.7.8
[ ] rabbitmq_web_stomp 3.7.8
[ ] rabbitmq_web_stomp_examples 3.7.8
[root@linux-node1 ~]# rabbitmq-plugins enable rabbitmq_management
[root@linux-node1 ~]# systemctl restart rabbitmq-server.service
Check that the management UI is listening on port 15672:
[root@linux-node1 ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN 86563/beam.smp
tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN 86759/epmd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 899/sshd
tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 86563/beam.smp
tcp6 0 0 :::5672 :::* LISTEN 86563/beam.smp
tcp6 0 0 :::3306 :::* LISTEN 11484/mysqld
tcp6 0 0 :::4369 :::* LISTEN 86759/epmd
tcp6 0 0 :::22 :::* LISTEN 899/sshd
If you cannot log in as guest over the network: by default the built-in guest account may only connect from localhost (the loopback_users setting). The original guide worked around this by editing /usr/lib/rabbitmq/lib/rabbitmq_server-3.7.8/ebin/rabbit.app and changing {loopback_users, [<<"guest">>]} to {loopback_users, [guest]}. Do not do this: the file belongs to the package and is overwritten on upgrade (the upgrade-safe place is /etc/rabbitmq/rabbitmq.conf), and more importantly, a broker bound to every interface with guest/guest reachable remotely is a well-known way to hand over the whole deployment, since anyone who reaches 5672 or 15672 gets full access. Leave guest restricted to loopback, or delete it once another administrator exists:
[root@linux-node1 ~]# rabbitmqctl delete_user guest
Instead give the openstack user the administrator tag from the command line (this is what the original did by hand in the web UI: log in as guest/guest, click the openstack user name, Update this user, password openstack, Tags = administrator with that exact spelling, then Update user):
[root@linux-node1 ~]# rabbitmqctl set_user_tags openstack administrator
Then log in to the web UI on http://192.168.56.11:15672/ as openstack. The OpenStack services only need the vhost permissions granted above; the tag matters only for the management UI/API, so a separate operator account (for example with the monitoring tag) is the cleaner choice if you want to keep service credentials and human credentials apart.
Keystone service:
Users and authentication: user permissions and tracking of user actions;
Service catalog: a catalog of all services together with the endpoints of their APIs.
Glance image service:
Authentication concepts:
User
Tenant: tenant, i.e. project
Token
Role
Service catalog concepts:
Service
Endpoint
Install Keystone:
[root@linux-node1 ~]# yum -y install openstack-keystone httpd mod_wsgi memcached python-memcached
Generate a random bootstrap token. admin_token is a shared secret that bypasses Keystone's normal authentication and policy checks entirely, so treat it like the root password: use it only for the bootstrap steps below, keep it out of scripts, and disable it once the admin user exists (remove admin_token_auth from the pipelines in /etc/keystone/keystone-paste.ini and comment the admin_token line out).
[root@linux-node1 ~]# openssl rand -hex 10
326ee23c014a46562fd5
[root@linux-node1 ~]# vim /etc/keystone/keystone.conf
[DEFAULT]
admin_token = 326ee23c014a46562fd5
[database]
connection = mysql://keystone:keystone@192.168.56.11/keystone
Populate the database:
[root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
The sync creates keystone.log:
[root@linux-node1 ~]# cd /var/log/keystone/
[root@linux-node1 keystone]# ls
keystone.log
[root@linux-node1 keystone]# ll
total 8
-rw-r--r--. 1 keystone keystone 7064 Oct  4 22:12 keystone.log
[root@linux-node1 ~]# mysql -ukeystone -pkeystone -h192.168.56.11
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 56
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keystone |
+--------------------+
2 rows in set (0.00 sec)
MariaDB [(none)]> use keystone
Database changed
MariaDB [keystone]> show tables;
+-----------------------------+
| Tables_in_keystone |
+-----------------------------+
| access_token |
| application_credential |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+-----------------------------+
44 rows in set (0.00 sec)
MariaDB [keystone]> exit;
Bye
[root@linux-node1 keystone]# cd /etc/keystone/
[root@linux-node1 keystone]# ls
default_catalog.templates keystone.conf keystone-paste.ini logging.conf policy.json sso_callback_template.html
[root@linux-node1 keystone]# vim keystone.conf
[memcache]
servers = 192.168.56.11:11211
[token]
provider = uuid
driver = memcache
[revoke]
driver = sql
[root@linux-node1 keystone]# grep '^[a-z]' keystone.conf
admin_token = 326ee23c014a46562fd5
connection = mysql://keystone:keystone@192.168.56.11/keystone
servers = 192.168.56.11:11211
driver = sql
provider = uuid
driver = memcache
Turn on verbose logging (optional; this is not the debug switch, which is debug = true):
[root@linux-node1 keystone]# vim keystone.conf
[DEFAULT]
verbose = true
Start memcached:
[root@linux-node1 ~]# vim /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
# memcached has no authentication and here it stores Keystone tokens, so bind it to
# loopback and the management address only; the original used -l 0.0.0.0,::1, which
# also exposed it on the second adapter.
OPTIONS="-l 127.0.0.1,192.168.56.11"
[root@linux-node1 ~]# systemctl enable memcached.service
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[root@linux-node1 ~]# systemctl start memcached.service
Configure Apache (this is the file from the Liberty install guide; the angle-bracket directives were lost when the original page was rendered and are restored here):
[root@linux-node1 ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
Alternatively, copy the sample shipped with the keystone package (or symlink it) and edit that; its log paths point at a directory that does not exist by default, so change them:
[root@linux-node1 ~]# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@linux-node1 ~]# vim /etc/httpd/conf/httpd.conf
ServerName 192.168.56.11:80
Start Apache:
[root@linux-node1 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@linux-node1 ~]# systemctl start httpd
[root@linux-node1 ~]# netstat -tnlp | grep httpd
tcp6 0 0 :::35357 :::* LISTEN 120896/httpd
tcp6 0 0 :::5000 :::* LISTEN 120896/httpd
tcp6 0 0 :::80 :::* LISTEN 120896/httpd
Set the Keystone bootstrap environment variables (the token from keystone.conf; note that it now also sits in this shell's history):
[root@linux-node1 ~]# export OS_TOKEN=326ee23c014a46562fd5
[root@linux-node1 ~]# export OS_URL=http://192.168.56.11:35357/v3
[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3
Create the domain:
If there is no openstack command, install python-openstackclient:
[root@linux-node1 ~]# yum -y install python-openstackclient
If there is no default domain yet, create it:
[root@linux-node1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description |Default Domain |
| enabled | True |
| id | 1be6f6eb0b494adea06365ddfb4ce4b2 |
| name | default |
| tags | [] |
+-------------+----------------------------------+
Create the admin project:
[root@linux-node1 ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | default |
| enabled | True |
| id | 1e5c1cd4e97b4f1f92c538a57ed91557 |
| is_domain | False |
| name | admin |
| parent_id | None |
+-------------+----------------------------------+
Create the admin user (the lab uses the password admin when prompted):
[root@linux-node1 ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | bd25f4a413df434c88f97c931ffb21e9 |
| name | admin |
+-----------+----------------------------------+
Create the admin role:
[root@linux-node1 ~]# openstack role create admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 64d8d757670044cc871223af98d0656e |
| name | admin |
+-------+----------------------------------+
Add the admin user to the admin project with the admin role:
[root@linux-node1 ~]# openstack role add --project admin --user admin admin
Create the demo project:
[root@linux-node1 ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 761cc6bb683d42c08dbbc7302ed1eb53 |
| is_domain | False |
| name | demo |
| parent_id | None |
+-------------+----------------------------------+
Create the demo user with the password demo. Note that --password=demo puts the password into the shell history and the process list; --password-prompt, as used for admin above, avoids that:
[root@linux-node1 ~]# openstack user create --domain default --password=demo demo
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 7f35d8886a6940b09e0d5d04ca0436f2 |
| name | demo |
+-----------+----------------------------------+
Create the user role:
[root@linux-node1 ~]# openstack role create user
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | ea155cd2a72b4e4cb18c3da6edadd20d |
| name | user |
+-------+----------------------------------+
Add the demo user to the demo project with the user role:
[root@linux-node1 ~]# openstack role add --project demo --user demo user
Create the service project:
[root@linux-node1 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 20c603699825493c9fff2d07095573ac |
| is_domain | False |
| name | service |
| parent_id | None |
+-------------+----------------------------------+
Verify the projects, roles and users that were created:
[root@linux-node1 ~]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 7f35d8886a6940b09e0d5d04ca0436f2 | demo |
| bd25f4a413df434c88f97c931ffb21e9 | admin |
+----------------------------------+-------+
[root@linux-node1 ~]# openstack role list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 64d8d757670044cc871223af98d0656e | admin |
| ea155cd2a72b4e4cb18c3da6edadd20d | user |
+----------------------------------+-------+
[root@linux-node1 ~]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 1e5c1cd4e97b4f1f92c538a57ed91557 | admin |
| 20c603699825493c9fff2d07095573ac | service |
| 761cc6bb683d42c08dbbc7302ed1eb53 | demo |
+----------------------------------+---------+
[root@linux-node1 ~]# openstack role assignment list
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| Role | User | Group | Project | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| ea155cd2a72b4e4cb18c3da6edadd20d | 7f35d8886a6940b09e0d5d04ca0436f2 | | 761cc6bb683d42c08dbbc7302ed1eb53 | | False |
| 64d8d757670044cc871223af98d0656e | bd25f4a413df434c88f97c931ffb21e9 | | 1e5c1cd4e97b4f1f92c538a57ed91557 | | False |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
Create the identity service entry:
[root@linux-node1 ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 01bfde7d5be74da9a96aecd2d9cf12eb |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
Register the endpoints:
Public:
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | c4b600ce1bf04ac09dd27f7c4e63f336 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 01bfde7d5be74da9a96aecd2d9cf12eb |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.56.11:5000/v2.0 |
+--------------+----------------------------------+
Internal:
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | ee8c996fbaf3466c9221ebdc78eea3f0 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 01bfde7d5be74da9a96aecd2d9cf12eb |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.56.11:5000/v2.0 |
+--------------+----------------------------------+
Admin:
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 9f38851343004386a1103ad1df4c8624 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 01bfde7d5be74da9a96aecd2d9cf12eb |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.56.11:35357/v2.0 |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| 9f38851343004386a1103ad1df4c8624 | RegionOne | keystone | identity | True | admin | http://192.168.56.11:35357/v2.0 |
| c4b600ce1bf04ac09dd27f7c4e63f336 | RegionOne | keystone | identity | True | public | http://192.168.56.11:5000/v2.0 |
| ee8c996fbaf3466c9221ebdc78eea3f0 | RegionOne | keystone | identity | True | internal | http://192.168.56.11:5000/v2.0 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
Clear the bootstrap environment variables:
[root@linux-node1 ~]# unset OS_TOKEN
[root@linux-node1 ~]# unset OS_URL
From here on everything authenticates with real credentials, so retire the bootstrap token as well: remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections of /etc/keystone/keystone-paste.ini, comment out admin_token in keystone.conf, and restart httpd. Left in place, the token gives anyone who learns its value (it is in this shell's history) unrestricted access to Keystone.
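Retiring the bootstrap token is a two-file edit that is easy to get half done. The functions below are an added example (not from the original guide or from the Keystone project) that strip admin_token_auth from the three API pipelines while leaving every other line of keystone-paste.ini untouched, and that report whether keystone.conf still carries an active admin_token. SAMPLE_PASTE_INI is a constructed excerpt in the shape of the Liberty keystone-paste.ini, not a copy of the shipped file; the paths in the main block are the standard ones used elsewhere in this guide.

```python
"""Remove Keystone's admin_token_auth filter from the API pipelines and check keystone.conf."""
import re

BOOTSTRAP_PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")
_SECTION = re.compile(r"^\[([^\]]+)\]\s*$")
_PIPELINE = re.compile(r"^(pipeline\s*=)(.*)$")

# Constructed excerpt shaped like keystone-paste.ini (Liberty); not the real file.
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
"""


def pipelines(ini_text: str) -> dict:
    """Map each [pipeline:*] section to its ordered list of filter/app names."""
    found, section = {}, None
    for line in ini_text.splitlines():
        m = _SECTION.match(line.strip())
        if m:
            section = m.group(1)
            continue
        pm = _PIPELINE.match(line.strip())
        if pm and section and section.startswith("pipeline:"):
            found[section] = pm.group(2).split()
    return found


def remove_admin_token_auth(ini_text: str, filter_name: str = "admin_token_auth",
                            sections=BOOTSTRAP_PIPELINES):
    """Drop `filter_name` from the pipeline= line of the given sections.

    Returns (new_text, number_of_pipelines_changed). Comments, other sections and the
    [filter:admin_token_auth] definition itself are passed through unchanged, so the
    edit is reversible and can be diffed against the packaged file.
    """
    out, section, changed = [], None, 0
    for line in ini_text.splitlines():
        m = _SECTION.match(line.strip())
        if m:
            section = m.group(1)
        elif section in sections:
            pm = _PIPELINE.match(line.strip())
            if pm:
                items = pm.group(2).split()
                if filter_name in items:
                    items = [i for i in items if i != filter_name]
                    changed += 1
                    line = "pipeline = " + " ".join(items)
        out.append(line)
    new_text = "\n".join(out)
    if ini_text.endswith("\n"):
        new_text += "\n"
    return new_text, changed


def admin_token_set(keystone_conf: str) -> bool:
    """True if [DEFAULT] still has an active (uncommented, non-empty) admin_token."""
    section = None
    for line in keystone_conf.splitlines():
        s = line.strip()
        m = _SECTION.match(s)
        if m:
            section = m.group(1)
        elif section == "DEFAULT" and re.match(r"^admin_token\s*=\s*\S", s):
            return True
    return False


if __name__ == "__main__":
    # Rewrite the real file in place and report on keystone.conf; restart httpd afterwards.
    paste_path = "/etc/keystone/keystone-paste.ini"
    with open(paste_path) as fh:
        new_text, n = remove_admin_token_auth(fh.read())
    with open(paste_path, "w") as fh:
        fh.write(new_text)
    print(f"removed admin_token_auth from {n} pipeline(s)")
    with open("/etc/keystone/keystone.conf") as fh:
        if admin_token_set(fh.read()):
            print("admin_token is still set in keystone.conf; comment it out and restart httpd")
```

Running it a second time reports 0 changed pipelines, which doubles as the check that the bootstrap path is closed; the [filter:admin_token_auth] definition stays in the file, since removing it from the pipelines is what disables it.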
Request a token:
[root@linux-node1 ~]# openstack --os-auth-url http://192.168.56.11:35357/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2018-10-07T08:30:51.014173Z |
| id | 5057f8f5b6c74f73a915fbfb74dffceb |
| project_id | d7064a9e91934300b28cccc787161fdb |
| user_id | f8f1891482e54cb583e6b2564f2d14fb |
+------------+----------------------------------+
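What `openstack token issue` does under the hood is a single POST to /v3/auth/tokens with a password-method, project-scoped body; Keystone answers 201 with the token itself in the X-Subject-Token header and the expiry, scope, roles and service catalog in the JSON body. The code below is an added example (not from the original guide or from python-openstackclient) that builds that request, parses the reply and selects an endpoint from the catalog. SAMPLE_HEADERS and SAMPLE_BODY are a constructed reply filled with the ids this guide prints above; request_token() performs the live exchange and is only meaningful against the controller.

```python
"""Keystone v3 password authentication: build the request, parse the 201 reply."""
import json
import urllib.request

AUTH_URL = "http://192.168.56.11:35357/v3"  # the admin endpoint used above


def build_password_auth(username, password, project_name,
                        user_domain_id="default", project_domain_id="default"):
    """Body of POST /v3/auth/tokens for a project-scoped login (the --os-* flags as JSON)."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"id": user_domain_id},
                        "password": password,
                    }
                },
            },
            "scope": {
                "project": {"name": project_name, "domain": {"id": project_domain_id}}
            },
        }
    }


def parse_token_response(headers, body):
    """Extract bearer token, expiry, scope, roles and an (type, interface) -> url map."""
    token_id = headers.get("X-Subject-Token")
    if not token_id:
        raise ValueError("no X-Subject-Token header: not a successful /v3/auth/tokens reply")
    tok = body["token"]
    endpoints = {}
    for svc in tok.get("catalog", []):
        for ep in svc.get("endpoints", []):
            endpoints[(svc["type"], ep["interface"])] = ep["url"]
    return {
        "token": token_id,
        "expires": tok["expires_at"],
        "project_id": tok["project"]["id"],
        "user_id": tok["user"]["id"],
        "roles": sorted(r["name"] for r in tok.get("roles", [])),
        "endpoints": endpoints,
    }


def pick_endpoint(parsed, service_type, interface="public"):
    """Choose a catalog URL; KeyError if that service/interface is not registered."""
    return parsed["endpoints"][(service_type, interface)]


def request_token(auth_url, username, password, project_name, timeout=10):
    """Live exchange. The token is a bearer credential: over plain http, as in this lab,
    it crosses the wire unprotected, so a real deployment needs an https auth_url."""
    data = json.dumps(build_password_auth(username, password, project_name)).encode()
    req = urllib.request.Request(auth_url.rstrip("/") + "/auth/tokens", data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.headers, json.loads(resp.read().decode()))


# Constructed reply in Keystone's shape, using the ids printed earlier in this guide.
SAMPLE_HEADERS = {"X-Subject-Token": "5057f8f5b6c74f73a915fbfb74dffceb"}
SAMPLE_BODY = {
    "token": {
        "expires_at": "2018-10-07T08:30:51.014173Z",
        "project": {"id": "d7064a9e91934300b28cccc787161fdb", "name": "admin"},
        "user": {"id": "f8f1891482e54cb583e6b2564f2d14fb", "name": "admin"},
        "roles": [{"id": "64d8d757670044cc871223af98d0656e", "name": "admin"}],
        "catalog": [
            {
                "type": "identity", "name": "keystone",
                "id": "01bfde7d5be74da9a96aecd2d9cf12eb",
                "endpoints": [
                    {"interface": "public", "url": "http://192.168.56.11:5000/v2.0", "region": "RegionOne"},
                    {"interface": "internal", "url": "http://192.168.56.11:5000/v2.0", "region": "RegionOne"},
                    {"interface": "admin", "url": "http://192.168.56.11:35357/v2.0", "region": "RegionOne"},
                ],
            }
        ],
    }
}

if __name__ == "__main__":
    import getpass
    parsed = request_token(AUTH_URL, "admin", getpass.getpass("admin password: "), "admin")
    print("token expires", parsed["expires"], "roles", parsed["roles"])
    print("public identity endpoint:", pick_endpoint(parsed, "identity"))
```

The request carries the password once and the reply hands back a token that then stands in for it; every later service call just adds an X-Auth-Token header, which is why the openrc files below only need to store the password for this first step.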
Create the Keystone environment files:
[root@linux-node1 ~]# vim admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
[root@linux-node1 ~]# vim demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
These files hold plaintext passwords, so restrict them to root rather than marking them executable (they are sourced, not run, so +x gains nothing):
[root@linux-node1 ~]# chmod 600 admin-openrc.sh demo-openrc.sh
[root@linux-node1 ~]# source admin-openrc.sh
[root@linux-node1 ~]# openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2018-10-07T09:21:56.873147Z |
| id | da4ac1bf112446dca1d81127493d912e |
| project_id | d7064a9e91934300b28cccc787161fdb |
| user_id | f8f1891482e54cb583e6b2564f2d14fb |
+------------+----------------------------------+